Commit df683687f3bf6d33443509a62d87679062dbf51e

Authored by Sergio Oliveira
1 parent ad74ff80

Manage firewall rules using templates and envs

@@ -9,6 +9,7 @@ $SPB_ENV = ENV.fetch('SPB_ENV', 'local') @@ -9,6 +9,7 @@ $SPB_ENV = ENV.fetch('SPB_ENV', 'local')
9 ssh_config_file = "config/#{$SPB_ENV}/ssh_config" 9 ssh_config_file = "config/#{$SPB_ENV}/ssh_config"
10 ips_file = "config/#{$SPB_ENV}/ips.yaml" 10 ips_file = "config/#{$SPB_ENV}/ips.yaml"
11 config_file = "config/#{$SPB_ENV}/config.yaml" 11 config_file = "config/#{$SPB_ENV}/config.yaml"
  12 +iptables_file = "config/#{$SPB_ENV}/iptables-filter-rules"
12 13
13 ENV['CHAKE_SSH_CONFIG'] = ssh_config_file 14 ENV['CHAKE_SSH_CONFIG'] = ssh_config_file
14 15
@@ -20,9 +21,11 @@ end @@ -20,9 +21,11 @@ end
20 21
21 config = YAML.load_file(config_file) 22 config = YAML.load_file(config_file)
22 ips = YAML.load_file(ips_file) 23 ips = YAML.load_file(ips_file)
  24 +firewall = File.open(iptables_file).read
23 $nodes.each do |node| 25 $nodes.each do |node|
24 node.data['config'] = config 26 node.data['config'] = config
25 node.data['peers'] = ips 27 node.data['peers'] = ips
  28 + node.data['firewall'] = firewall
26 end 29 end
27 30
28 task :console do 31 task :console do
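Review bot: `File.open(iptables_file).read` on new line 24 leaves the File object open until the garbage collector finalizes it; `firewall = File.read(iptables_file)` reads and closes in one call. New line 28 then assigns that one string to every node in $nodes, so the env rules file is applied to every host of the environment regardless of role, and every env directory now has to contain the file or the task aborts with Errno::ENOENT before any node is configured; a comment on line 24 such as `# env-wide iptables INPUT rules; rendered verbatim into every node's ruleset` would make both facts visible at the read site. The file header for this section is not shown on the page, so its name is not verified here.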
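--- a/config/development/iptables-filter-rules
+++ b/config/development/iptables-filter-rules
@@ -0,0 +1,29 @@
+
+-A INPUT -s 200.198.196.192/26 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
+-A INPUT -s 200.198.196.192/26 -p tcp -m state --state NEW -m tcp --dport 5432 -j ACCEPT
+-A INPUT -s 200.198.196.192/26 -p icmp --icmp-type 8 -j ACCEPT
+-A INPUT -s 200.198.196.201/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+-A INPUT -s 200.198.196.206/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+
+-A INPUT -s 189.9.150.85/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
+
+
+# UnB
+-A INPUT -s 164.41.86.12/32 -p tcp -m state --state NEW -m multiport --dports 22,80,443 -j ACCEPT
+-A INPUT -s 164.41.9.36/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
+
+
+# Sergio Oliveira
+-A INPUT -s 179.111.229.232/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
+-A INPUT -s 189.5.248.31/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
+
+
+# Antonio Terceiro
+-A INPUT -s 198.58.116.17/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
+-A INPUT -s 189.4.54.241/32 -p tcp -m state --state NEW -m multiport --dports 22,80,443 -j ACCEPT
+
+
+-A INPUT -s 10.18.0.0/16 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
+-A INPUT -s 10.18.0.0/16 -p icmp --icmp-type 8 -j ACCEPT
+-A INPUT -s 189.9.137.239/32 -p tcp -m state --state NEW -m tcp --dport 10050 -j ACCEPT
+-A INPUT -s 189.9.137.239/32 -p icmp --icmp-type 8 -j ACCEPT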
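Review bot: The file carries no header saying what consumes it, yet the first hunk of this commit assigns its whole text to node.data['firewall'] for every node in $nodes, so every development host accepts port 5432 and 22 from every address listed here whether or not it runs a database or needs shell access; a first line such as `# Env-wide INPUT rules; rendered verbatim into /etc/sysconfig/iptables on every node of this env` would make that scope explicit to whoever edits it next. The groups at lines 2-8 and 26-29 also lack the owner labels that the UnB and per-person groups have, so nobody can tell later which entries are safe to retire. The rules themselves are carried over unchanged from the deleted development.erb.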
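--- a/config/local/iptables-filter-rules
+++ b/config/local/iptables-filter-rules
@@ -0,0 +1,2 @@
+
+# No environment rules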
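--- a/config/production/iptables-filter-rules
+++ b/config/production/iptables-filter-rules
@@ -0,0 +1,2 @@
+
+# No environment rules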
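--- a/cookbooks/firewall/recipes/default.rb
+++ b/cookbooks/firewall/recipes/default.rb
@@ -0,0 +1,14 @@
+
+package 'iptables-services'
+
+service 'iptables' do
+ action [:enable, :start]
+ supports :restart => true
+end
+
+template '/etc/sysconfig/iptables' do
+ owner 'root'
+ group 'root'
+ mode 0644
+ notifies :restart, 'service[iptables]'
+end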
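Review bot: The template resource at lines 9-14 restarts iptables on every change but nothing checks that the rendered file is loadable; node['firewall'] is raw text from the env file and the host partials interpolate node values, so a typo in either is found only when `service[iptables]` fails to restart, at which point the host is running whatever rules the failed restart left in place. If the Chef version in use supports the file `verify` property, add `verify 'iptables-restore --test %{path}'` to the resource so a malformed ruleset is rejected before it replaces the running one. The resource also relies on the implicit default `iptables.erb` lookup; stating `source 'iptables.erb'` makes the link to the partial chain explicit, and a header comment naming the partials it pulls in (`iptables-filter.erb`, `iptables-nat.erb`, host-specific variants) would help the next reader.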
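--- a/cookbooks/firewall/templates/default/development.erb
+++ b/cookbooks/firewall/templates/default/development.erb
@@ -1,35 +0,0 @@
-
-<% content_for :iptables_filter do %>
-
--A INPUT -s 200.198.196.192/26 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
--A INPUT -s 200.198.196.192/26 -p tcp -m state --state NEW -m tcp --dport 5432 -j ACCEPT
--A INPUT -s 200.198.196.192/26 -p icmp --icmp-type 8 -j ACCEPT
--A INPUT -s 200.198.196.201/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
--A INPUT -s 200.198.196.206/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-
--A INPUT -s 189.9.150.85/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
-
-
-# UnB
--A INPUT -s 164.41.86.12/32 -p tcp -m state --state NEW -m multiport --dports 22,80,443 -j ACCEPT
--A INPUT -s 164.41.9.36/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
-
-
-# Sergio Oliveira
--A INPUT -s 179.111.229.232/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
--A INPUT -s 189.5.248.31/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
-
-
-#i Antonio Terceiro
--A INPUT -s 198.58.116.17/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
--A INPUT -s 189.4.54.241/32 -p tcp -m state --state NEW -m multiport --dports 22,80,443 -j ACCEPT
-
-
--A INPUT -s 10.18.0.0/16 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
--A INPUT -s 10.18.0.0/16 -p icmp --icmp-type 8 -j ACCEPT
--A INPUT -s 189.9.137.239/32 -p tcp -m state --state NEW -m tcp --dport 10050 -j ACCEPT
--A INPUT -s 189.9.137.239/32 -p icmp --icmp-type 8 -j ACCEPT
-
-<% end %>
-
-<%= render 'firewall-common.erb' %>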
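--- a/cookbooks/firewall/templates/default/firewall-common.erb
+++ b/cookbooks/firewall/templates/default/firewall-common.erb
@@ -1,37 +0,0 @@
-
-### FILTER RULES ###
-
-*filter
-
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-
--A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-
--A INPUT -p icmp --icmp-type 3/4 -j ACCEPT
--A INPUT -p icmp --icmp-type 3/3 -j ACCEPT
--A INPUT -p icmp --icmp-type 3/1 -j ACCEPT
--A INPUT -p icmp --icmp-type 4 -j ACCEPT
--A INPUT -p icmp --icmp-type 11 -j ACCEPT
--A INPUT -p icmp --icmp-type 12 -j ACCEPT
-
--A INPUT -i lo -j ACCEPT
-
-<%= yield :iptables_filter %>
-
--A INPUT -j LOG --log-prefix "Firewall INPUT: "
--A INPUT -j DROP
--A FORWARD -j LOG --log-prefix "Firewall FORWARD: "
--A FORWARD -j DROP
-
-COMMIT
-
-
-### NAT Rules ###
-
-*nat
-
-<%= yield :iptables_nat %>
-
-COMMIT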
cookbooks/firewall/templates/default/iptables-filter.erb 0 → 100644
cookbooks/firewall/templates/default/iptables-nat.erb 0 → 100644
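--- a/cookbooks/firewall/templates/default/iptables.erb
+++ b/cookbooks/firewall/templates/default/iptables.erb
@@ -0,0 +1,34 @@
+
+### FILTER RULES ###
+
+*filter
+
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+-A INPUT -p icmp --icmp-type 3/4 -j ACCEPT
+-A INPUT -p icmp --icmp-type 3/3 -j ACCEPT
+-A INPUT -p icmp --icmp-type 3/1 -j ACCEPT
+-A INPUT -p icmp --icmp-type 4 -j ACCEPT
+-A INPUT -p icmp --icmp-type 11 -j ACCEPT
+-A INPUT -p icmp --icmp-type 12 -j ACCEPT
+
+-A INPUT -i lo -j ACCEPT
+
+<%= node['firewall'] %>
+<%= render 'iptables-filter.erb' %>
+
+-A INPUT -j LOG --log-prefix "Firewall INPUT: "
+-A INPUT -j DROP
+-A FORWARD -j LOG --log-prefix "Firewall FORWARD: "
+-A FORWARD -j DROP
+
+COMMIT
+
+
+*nat
+<%= render 'iptables-nat.erb' %>
+COMMIT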
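Review bot: The LOG rules at lines 24 and 26 have no rate limit, so every packet that reaches the end of INPUT or FORWARD writes a kernel log line and a port sweep against an exposed host can fill the log and drown the entries you actually want to see. Prefix them with a limit match, e.g. `-A INPUT -m limit --limit 5/min -j LOG --log-prefix "Firewall INPUT: "` and the same for FORWARD; the DROP lines stay as they are. Line 21 splices node['firewall'] in verbatim with nothing saying where that text comes from; an ERB comment above it such as `<%# env-wide rules read from config/<env>/iptables-filter-rules by the task file %>` would tell a reader where to edit, and the same holds for the two `render` partials, which resolve to empty files in templates/default and to real rules only under host-specific directories.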
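--- a/cookbooks/firewall/templates/host-reverseproxy/iptables-filter.erb
+++ b/cookbooks/firewall/templates/host-reverseproxy/iptables-filter.erb
@@ -0,0 +1,9 @@
+
+# HTTP Ports
+-A INPUT -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPT
+
+# Port redirect to gitlab host (integration)
+-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
+
+# Real SSH connection
+-A INPUT -p tcp -m state --state NEW --dport <%= node['config']['alt_ssh_port'] %> -j ACCEPT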
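Review bot: The comment at line 5 presents the port-22 INPUT accept as what lets the redirect to the gitlab host through, but a packet that PREROUTING has DNAT'd to the integration address is routed onward, not delivered locally, so it traverses FORWARD rather than INPUT — and the FORWARD chain in iptables.erb ends in LOG/DROP with no accept and no RELATED,ESTABLISHED rule. Unless something outside this cookbook accepts it, the forwarded SSH traffic is dropped; the accept belongs in FORWARD, e.g. `-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT` followed by `-A FORWARD -d <%= node['peers']['integration'] %>/32 -p tcp --dport 22 -j ACCEPT`, and forwarding additionally needs net.ipv4.ip_forward enabled, which this commit does not touch. Line 9 interpolates node['config']['alt_ssh_port'] unchecked, so a config.yaml without that key renders `--dport ` and the whole ruleset fails to load at restart; `node['config'].fetch('alt_ssh_port')` would fail at render time with a clear message instead.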
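--- a/cookbooks/firewall/templates/host-reverseproxy/iptables-nat.erb
+++ b/cookbooks/firewall/templates/host-reverseproxy/iptables-nat.erb
@@ -0,0 +1,6 @@
+
+# Forward reverseproxy:22 to integration:22 (required to enable git pushes over SSH)
+
+-A PREROUTING -d <%= node['peers']['reverseproxy'] %>/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination <%= node['peers']['integration'] %>:22
+
+-A POSTROUTING -d <%= node['peers']['integration'] %>/32 -p tcp -m tcp --dport 22 -j SNAT --to-source <%= node['peers']['reverseproxy'] %>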
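Review bot: The POSTROUTING SNAT at line 6 rewrites the client source to the reverseproxy address, so sshd and any authentication logging on the integration host record every forwarded push as coming from reverseproxy rather than from the real client, and nothing in the file says so. A comment on that rule such as `# SNAT replaces the client address with reverseproxy's; integration's auth logs show reverseproxy for all forwarded SSH` documents the trade-off and warns against adding source-based rules or lockouts on integration for this traffic. The DNAT at line 4 is the only place where forwarded port-22 traffic is accounted for, so the reverseproxy host is also where the original client address has to be logged if it is wanted.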
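--- a/cookbooks/firewall/templates/host-reverseproxy/iptables.erb
+++ b/cookbooks/firewall/templates/host-reverseproxy/iptables.erb
@@ -1,10 +0,0 @@
-
-<% content_for :iptables_nat do %>
-
-# Forward reverseproxy:22 to integration:22. Required to enable git pushes over SSH
--A PREROUTING -d <%= node['peers']['reverseproxy'] %>/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination <%= node['peers']['integration'] %>:22
--A POSTROUTING -d <%= node['peers']['integration'] %>/32 -p tcp -m tcp --dport 22 -j SNAT --to-source <%= node['peers']['reverseproxy'] %>
-
-<% end %>
-
-<%= render 'development.erb' %>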